Clickjacking: Attacks and Defenses
Total Page:16
File Type:pdf, Size:1020Kb
Clickjacking: Attacks and Defenses Lin-Shung Huang1, Alex Moshchuk2, Helen Wang2, Stuart Schechter2, and Collin Jackson1 1Carnegie Mellon University 2Microsoft Research Example: Likejacking attacker.com Claim your FREE iPad attacker.com The user is tricked to click on something he didn’t intend to click on 2 Outline • Defining clickjacking • Existing defenses are insufficient – We evade them with three new attack variants – Our user study on Amazon Mechanical Turk shows that people fall for these attacks • New defense to address root causes – Our user study demonstrates its effectiveness 3 Defining clickjacking • Prerequisite: multiple mutually distrusting applications sharing the same display • An attack application compromises context integrity of another application’s UI when the user acts on the UI Visual integrity Context integrity consists of Target is visible visual integrity + temporal integrity Pointer is visible 1. Target checked 2. Initiate click 3. Target clicked Temporal integrity Target = Target clicked checked 4 Pointerclicked = Pointerchecked Compromise visual integrity – target • Hiding the target • Partial overlays $ 0 $ 0 Click 5 Compromise visual integrity – pointer • Manipulating cursor feedback Claim your FREE iPad 6 Compromise temporal integrity • Bait-and-switch Claim your FREE iPad 7 EXISTING DEFENSES 8 Existing defenses to protect visual integrity • User confirmation – degrades user experience • UI randomization – unreliable (e.g. multi-click attacks) • Framebusting (X-Frame-Options) – incompatible with embedding 3rd-party objects • Opaque overlay policy (Gazelle browser) – breaks legitimate sites • Visibility detection on click (NoScript) – false positives 9 Protecting temporal integrity • Imposing a delay after displaying UI – annoying to user None of current defenses consider pointer 10 NEW ATTACK VARIANTS 1. Accessing user’s webcam 2. Stealing user’s email 3. Revealing user’s identity 11 Evaluating attacks • 2064 Amazon Mechanical Turk web users – 25 cents per user – Users can only participate once, and only for one treatment 12 Attack #1: Accessing User’s Webcam Fake cursor Real cursor Attack technique: cursor-spoofing Attack success: 43% (31/72) 13 Attack #2: Stealing User’s Emails Attack technique: pop-up window Attack success: 47% (43/90) 14 Attack #3: Revealing User’s Identity • Whack-a-mole game Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84) 15 InContext Defense 16 Design Goals • Should support embedding 3rd-party objects • Should not prompt users for their actions • Should not break existing sites • Should be resilient to new attack vectors 17 InContext Defense • A set of techniques to ensure context integrity for user actions • Server opt-in approach – Let websites indicate their sensitive UIs – Let browsers enforce context integrity when users act on the sensitive UIs attacker.com 18 Ensuring visual integrity of target • Dynamic OS-level screenshot comparison – processing delay on click < 30ms (prototype on IE 9) What is displayed What should be seen (OS screenshot) (Reference bitmap) 19 Ensuring visual integrity of pointer • Remove cursor customization – Attack success: 43% -> 16% 20 Ensuring visual integrity of pointer • Freeze screen around target on pointer entry – Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%) Margin=10pxMargin=20px 21 Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry – Attack success (Freezing + lightbox): 2% 22 Enforcing temporal integrity User checks target Enforce User clicks target temporal integrity System delivers click to target app • UI delay: after visual changes on target or pointer, invalidate clicks for X ms • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target 23 Enforcing temporal integrity • UI delay: after visual changes on target or pointer, invalidate clicks for X ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89) 24 Enforcing temporal integrity • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88) 25 Whack-a-mole attack • Exclude victims who were moving their pointer around the Like button for many seconds, and deliberating whether or not to click • Defense against clickjacking aspects – Screen freezing, margin=20px: 98% -> 16% – Screen freezing, margin=20px, pointer entry delay=500ms: 4% – Screen freezing, margin=20px, pointer entry delay=1000ms: 1% • Social eng. aspects – 63% users intentionally clicked on Like button after our defenses made them fully aware of this 26 Conclusion • We demonstrated new clickjacking variants that can evade current defenses • Our user studies show that our attacks are highly effective (success rates 43% to 98%) • Our InContext defense can be very effective against clickjacking – Ongoing efforts: UI Safety W3C proposal 27 QUESTIONS? [email protected] 28 .